Hello All,
Greetings!
Once you dump the below config into the device, make sure you exit from the configuration mode (#) and enter back into config mode using "configure private" with the specified user, as "configure private" is the only command allowed to enter the configuration mode.
set system login class Test-permissions idle-timeout 60
set system login class Test-permissions permissions all
set system login class Test-permissions allow-commands "(configure private)"
set system login class Test-permissions deny-commands "(configure)|(configure exclusive)"
set system login class Test-permissions allow-configuration "(interfaces .* unit .* family * inet * address .*)|(interfaces .* unit .* family * inet6 * address .*)|(interfaces .* unit .* family * inet6 * mtu .*)|(interfaces .* unit .* family * inet * mtu .*)|(interfaces .* unit .* vlan-id .*)|(interfaces .* unit .* description .*)|(interfaces .* unit .* bandwidth .*)|(class-of-service interfaces .* unit .* output-traffic-control-profile)|(interfaces .* unit .* disable)|(interfaces .* unit .* family * inet * rpf-check * mode.* loose)|(interfaces .* unit .* family * inet * filter * input .*)"
set system login class Test-permissions deny-configuration "(protocols bgp disable)|(protocols isis disable)|(protocols mpls disable)|(protocols ldp disable)|(system login)|(interfaces lo0)|(interfaces.* vlan-tagging)|(interfaces.* flexible-vlan-tagging)|(interfaces.* per-unit-scheduler)|(interfaces.* disable)|(class-of-service interfaces.* output-traffic-control-profile)|(interfaces .* hierarchical-scheduler)|(interfaces.*)"
Create a user "test", map it to the class "Test-permissions" and set a 6-digit plain-text password (for example, test123).
Then, exit the terminal and try to log in to the device with the user "test" and the password "test123". Then, enter the configuration mode only by using "configure private".
After entering the configure private mode, the user cannot use the "show system login" command, as the command is not in the allowed configuration list.
Lab output:
login: test
Password:
Last login: Thu May 7 10:16:31 from 172.29.186.149
--- JUNOS 19.1R1-S4.2 Kernel 64-bit JNPR-11.0-20191223.5f5c7dc_buil
test@jtac-mx480-r2032-re0> configure ?
Possible completions:
private Work in private database (other's changes do not show) -- Only 1 option.
test@jtac-mx480-r2032-re0> configure private
warning: uncommitted changes will be discarded on exit
Entering configuration mode
Users currently editing the configuration:
labroot terminal pts/1 (pid 15828) on since 2020-05-07 10:00:00 UTC, idle 00:28:05
[edit]
[edit]
test@jtac-mx480-r2032-re0# show system lo?
Possible completions:
> location Location of the system, in various forms
[edit]
test@jtac-mx480-r2032-re0# show system login ---- "show system login is not allowed"
^
syntax error.
To make any change to the above configuration, you need to log back in with a user that has super-user class credentials and modify the configuration.
---------------------------------------------------------
Coming to the configuration issue:
Yes, the issue is with the existing configuration. You need to add (interfaces .* unit .* family * inet * filter * input). The allow-configuration should first match the filter type and then the filter name.
allow-configuration "(interfaces .* unit .* family * inet * address .*)|(interfaces .* unit .* family * inet6 * address .*)|(interfaces .* unit .* family * inet6 * mtu .*)|(interfaces .* unit .* family * inet * mtu .*)|(interfaces .* unit .* vlan-id .*)|(interfaces .* unit .* description .*)|(interfaces .* unit .* bandwidth .*)|(class-of-service interfaces .* unit .* output-traffic-control-profile)|(interfaces .* unit .* disable)|(interfaces .* unit .* family * inet * rpf-check * mode.* loose)|(interfaces .* unit .* family * inet * filter * input .*)|(interfaces .* unit .* family * inet * filter * input)";
I hope this helps. Please mark "Accept as solution" if this answers your query.
Kudos are appreciated too!
Best Regards,
Lingabasappa H
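As an added example (not part of the post above), the two-stage check the post describes, modelled in Python: the allow-configuration and deny-configuration patterns are tested as anchored matches first against the filter-type path and then against the path carrying the filter name, which shows why the original allow list refuses the statement and the extended one permits it. It assumes allow-configuration takes precedence over deny-configuration (the post's deny list contains "(interfaces.*)" while specific interface statements remain allowed), uses only a subset of the post's patterns, and the interface name xe-0/0/0 and filter name EDGE-IN are constructed.

```python
import re

# Subset of the post's allow-configuration patterns (original list).
ALLOW_ORIGINAL = [
    r"interfaces .* unit .* family * inet * address .*",
    r"interfaces .* unit .* disable",
    r"interfaces .* unit .* family * inet * filter * input .*",
]
# The post's fix: also allow the filter-type path without a filter name.
ALLOW_FIXED = ALLOW_ORIGINAL + [
    r"interfaces .* unit .* family * inet * filter * input",
]
# Subset of the post's deny-configuration patterns.
DENY = [
    r"interfaces lo0",
    r"interfaces.* disable",
    r"interfaces.*",
]


def matches(patterns, path):
    """Anchored match: the whole statement path must match one pattern."""
    return any(re.fullmatch(p, path) for p in patterns)


def decide(path, allow, deny):
    """Assumed precedence: an allow match wins, then a deny match blocks,
    otherwise the class falls through to 'permissions all' and permits."""
    if matches(allow, path):
        return True
    if matches(deny, path):
        return False
    return True


def check_statement(stages, allow, deny):
    """Evaluate each stage in order (filter type, then filter name) and
    return the first refused path, or None if every stage is permitted."""
    for path in stages:
        if not decide(path, allow, deny):
            return path
    return None


# Constructed statement: filter-type path first, then with the filter name.
FILTER_STAGES = [
    "interfaces xe-0/0/0 unit 0 family inet filter input",
    "interfaces xe-0/0/0 unit 0 family inet filter input EDGE-IN",
]
```

Under this model the original list stops at the filter-type stage, and the deny pattern "(interfaces.* disable)" still blocks disabling the physical interface while the allowed "unit .* disable" form passes.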